DNS response not accepted by DNS client - c

I am working on creating a fake DNS response for my homework.
I am able to successfully send the spoofed response before the actual response of the DNS server (verified by packet capture)
Packet capture of DNS responses:
=======================================================================
MY FAKE DNS RESPONSE
--------------------
Wed Apr 20 22:04:25 2016 Ether-type: IP (0x0800)
Source MAC Address: 00:0c:29:b6:95:c8 Destination MAC Address: 00:0c:29:0f:e9:96
Source IP Address: 192.168.88.132 Destination IP Address: 192.168.88.131
UDP packet Source Port: 53 Destn Port: 37837 UDP Length = 46
============
UDP PAYLOAD:
============
2d 97 81 80 00 01 00 01 00 00 00 00 02 69 6e -............in
05 79 61 68 6f 6f 03 63 6f 6d 00 00 01 00 01 .yahoo.com.....
c0 0c 00 01 00 01 00 00 02 58 00 04 9b 21 11 .........X...!.
44 D
=======================================================================
ACTUAL DNS RESPONSE
-------------------
Wed Apr 20 22:04:25 2016 Ether-type: IP (0x0800)
Source MAC Address: 00:50:56:e9:cd:36 Destination MAC Address: 00:0c:29:0f:e9:96
Source IP Address: 192.168.88.2 Destination IP Address: 192.168.88.131
UDP packet Source Port: 53 Destn Port: 37837 UDP Length = 89
============
UDP PAYLOAD:
============
2d 97 81 80 00 01 00 03 00 00 00 00 02 69 6e -............in
05 79 61 68 6f 6f 03 63 6f 6d 00 00 01 00 01 .yahoo.com.....
c0 0c 00 05 00 01 00 00 00 05 00 0f 06 66 64 .............fd
2d 66 70 32 03 77 67 31 01 62 c0 0f c0 2a 00 -fp2.wg1.b...*.
01 00 01 00 00 00 05 00 04 62 8b b7 18 c0 2a .........b....*
00 01 00 01 00 00 00 05 00 04 62 8b b4 95 ..........b...
=======================================================================
As you can see my fake response is arriving before the actual DNS response.
But for some reason, the DNS client always accepts the later (genuine) response.
Questions:
Why is my DNS response not accepted by the DNS client even when it arrives before the actual one?
Is it because of an erroneous DNS response packet format?
Is it because the IP address of the fake response is different from the actual one?
Are there any DNS client debugs/logs which can help me find out why my response is not accepted by the DNS client?
Any other reason?
The debug output is from Ubuntu 14.04
I have been stuck on this problem for 3 days and I am not able to figure out the reason. Any help is appreciated :)

In order for your fake DNS response to work properly, first the UDP destination port, the DNS transaction ID, and the domain name being requested must match the client request. I assume you already did this properly.
However, as mentioned by Stian, the DNS response source IP address must match the legitimate DNS server IP address; if not, it is dropped by the client. (AFAIK, the source MAC address does not need to match, though.)
In order to set the source IP address yourself, you need to create a RAW IP socket instead of a UDP socket and forge a full UDP packet (the fake DNS response) inside a RAW IP packet. You can find here code snippets to create such a RAW IP socket and forge a UDP packet from RAW (including the UDP checksum).

All socket connections have 4 parameters which identify them: source IP, source port, destination IP and destination port.
In your example above, the source IP of the fake DNS UDP response is not correct, so the packet will never reach the socket. And if the source IP was correct, the non-matching MAC address might be blocked as well, since it does not match the ARP table (rpfilter).
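The checks the two answers describe, as an added example that is not part of the question or either answer: it rebuilds the spoofed reply from the captured query, parses both captured responses, applies the checks a stub resolver makes before it trusts a reply (source address and port first, then transaction ID, QR bit and question section), and shows the raw-socket send that lets the source IP be set to the resolver's. Addresses, port and transaction ID are taken from the capture above; the function and variable names are this example's own, and the raw-socket part assumes Linux and root (or CAP_NET_RAW) on the spoofing host.

```python
# Added example (not code from the question or either answer): build the spoofed
# reply for the captured query, apply the checks a stub resolver makes before it
# trusts a reply, and send the reply from a raw socket with a forged source IP.
import socket
import struct

# Constructed from the capture in the question: 192.168.88.131 queried the
# resolver 192.168.88.2 from UDP port 37837 with transaction ID 0x2d97;
# the spoofing host is 192.168.88.132.
QUERY = {"txid": 0x2D97, "qname": "in.yahoo.com",
         "server": ("192.168.88.2", 53), "client": ("192.168.88.131", 37837)}
SPOOFER_IP = "192.168.88.132"
# UDP payloads copied from the two captured responses above.
FAKE_PAYLOAD = bytes.fromhex(
    "2d978180000100010000000002696e057961686f6f03636f6d0000010001"
    "c00c000100010000025800049b211144")
REAL_PAYLOAD = bytes.fromhex(
    "2d978180000100030000000002696e057961686f6f03636f6d0000010001"
    "c00c0005000100000005000f0666642d667032037767310162c00fc02a00"
    "010001000000050004628bb718c02a00010001000000050004628bb495")

def encode_name(name):
    """Dotted name -> DNS labels (RFC 1035 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_response(payload):
    """Parse header, question and answer sections; A and CNAME rdata are decoded."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(payload, off)
        questions.append((name,) + struct.unpack("!HH", payload[off:off + 4]))
        off += 4
    for _ in range(an):
        name, off = decode_name(payload, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        if rtype == 1 and rdlen == 4:               # A record
            rdata = socket.inet_ntoa(rdata)
        elif rtype == 5:                            # CNAME, may use compression
            rdata = decode_name(payload, off)[0]
        answers.append((name, rtype, ttl, rdata))
        off += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}

def build_response(txid, qname, ip, ttl):
    """Minimal reply: flags QR|RD|RA, the question echoed, one A record for it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer

def resolver_checks(query, sender, payload):
    """Reasons a stub resolver discards a reply; [] means accepted. glibc's res_send
    drops datagrams whose source (IP, port) is not the server it queried before it
    looks at the DNS header at all; the remaining checks are on the header."""
    problems = []
    if sender != query["server"]:
        problems.append("reply from %s:%d, query was sent to %s:%d" % (sender + query["server"]))
    resp = parse_response(payload)
    if resp["txid"] != query["txid"]:
        problems.append("transaction ID mismatch")
    if not (resp["flags"] & 0x8000):
        problems.append("QR bit not set")
    if resp["questions"] != [(query["qname"], 1, 1)]:
        problems.append("question section does not echo the query")
    return problems

def inet_checksum(data):
    """RFC 1071 ones-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src_ip, dst_ip, udp_len):
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src, dst, payload):
    """UDP datagram, checksum over the IPv4 pseudo-header (RFC 768; 0 is sent as 0xffff)."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src[1], dst[1], length, 0)
    csum = inet_checksum(pseudo_header(src[0], dst[0], length) + header + payload) or 0xFFFF
    return header[:6] + struct.pack("!H", csum) + payload

def send_spoofed(src, dst, payload):
    """Send payload as UDP src -> dst with a forged source (needs CAP_NET_RAW). With
    IPPROTO_RAW, Linux wants the IPv4 header from us and fills in total length,
    ID and header checksum when they are left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 17, 0,
                         socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(ip_hdr + build_udp(src, dst, payload), (dst[0], 0))
```

resolver_checks(QUERY, (SPOOFER_IP, 53), FAKE_PAYLOAD) returns the single complaint that the reply came from 192.168.88.132:53 while the query went to 192.168.88.2:53; the same payload presented as coming from the resolver passes every check, as does the genuine response. send_spoofed(QUERY["server"], QUERY["client"], FAKE_PAYLOAD), run as root on the spoofing host, writes the resolver's address into the IP header; the UDP checksum is computed over the pseudo-header so the forged source is covered by it.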

Related

Why my TCP SYN message doesn't get a TCP SYN-ACK so I can't connect to the server

I wrote C code which runs on an embedded system. Clients can connect to me but I can't connect to servers since they don't reply with a SYN-ACK. In fact, they do nothing at all. Here is the frame (the first 5 are the MAC of my PC, so I replaced them with 00):
00 00 00 00 00 00 12 48 07 06 20 03 08 00 45 00 00 34 E2 44 40
00 80 06 00 00 A9 FE 19 FC A9 FE 19 FE 00 50 1F 90 00 BC 61 4E
00 00 00 00 80 02 FA F0 8A 16 00 00 02 04 FF D7 01 03 03 08 01
01 04 02
// old hex bytes above, new below
Hi everyone. It is me back again. I've reviewed the comments & answers, and as a result I have changed my code. Now I am trying to connect from my embedded system (client) to my PC (Hercules server socket listening on port 8080) via a router. Also I found out my checksum calculation was wrong. I fixed it according to RFC 1071. I still can't get a SYN-ACK after my SYN attempt. I am sharing the new Ethernet frame below (new answers are after 09.09.2021):
80 fa 5b 90 bf 5c 12 48 07 06 20 03 08 00 45 00
00 34 b4 00 40 00 80 06 00 00 c0 a8 01 6d c0 a8
01 64 00 50 1f 90 87 65 43 21 00 00 00 00 80 02
ff ff 06 64 00 00 02 04 ff d7 01 03 03 08 01 01
04 02
You can decode it at https://hpd.gasmi.net/, which gives the same result as Wireshark.
Your IP is 169.254.25.252, which is within the Automatic Private Internet Protocol Addressing range.
This range is not routed on the internet and you'll never get a reply.
Salim
I found the solution. Copying the Hercules SYN frame was a mistake. I thought the IPv4 header checksum had to be 0. However, when I corrected that frame, it works properly now.
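As an added example, not code from the question or the answers: a decoder that checks both posted frames for the things this thread turned on, the link-local source of the first frame (Salim's point), the zeroed IPv4 header checksum in both (the asker's own finding) and whether the TCP checksum verifies against the pseudo-header and segment. The frame bytes are copied from the question; the function and field names are this example's own.

```python
# Added example (not code from the question or the answers): decode the two
# Ethernet frames posted above far enough to check what the thread turns on:
# whether the source IP is link-local (169.254.0.0/16), whether the IPv4 header
# checksum is present, and whether the TCP checksum verifies against the segment.
import ipaddress
import struct

# Frames copied from the question (the first with the MAC bytes zeroed as posted).
FRAME_BEFORE = bytes.fromhex(
    "000000000000124807062003080045000034e244400080060000a9fe19fca9fe19fe"
    "00501f9000bc614e000000008002faf08a1600000204ffd70103030801010402")
FRAME_AFTER = bytes.fromhex(
    "80fa5b90bf5c124807062003080045000034b400400080060000c0a8016dc0a80164"
    "00501f9087654321000000008002ffff066400000204ffd70103030801010402")

def inet_checksum(data):
    """RFC 1071 ones-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def analyze_frame(frame):
    """Describe the IPv4 and TCP headers of an Ethernet frame and check both checksums."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto, stored = ip[9], struct.unpack("!H", ip[10:12])[0]
    src, dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    segment = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    # The TCP checksum covers a pseudo-header (addresses, zero, protocol, TCP length)
    # plus the segment; with a correct checksum the sum of all of it comes out as zero.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(segment))
    return {
        "src": str(src), "dst": str(dst), "src_link_local": src.is_link_local,
        "sport": sport, "dport": dport, "seq": seq,
        "syn_only": (off_flags & 0x1FF) == 0x002,
        "ip_checksum_stored": stored,
        "ip_checksum_expected": inet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]),
        "tcp_checksum_ok": proto == 6 and inet_checksum(pseudo + segment) == 0,
    }

def fix_ipv4_checksum(frame):
    """Recompute the IPv4 header checksum (the correction the asker ended up making)."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    csum = inet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])
    return frame[:24] + struct.pack("!H", csum) + frame[26:]
```

analyze_frame(FRAME_BEFORE) reports the 169.254.25.252 source as link-local and a TCP checksum that does not verify; analyze_frame(FRAME_AFTER) reports a routable 192.168.1.109 source, a SYN to port 8080 with a TCP checksum that now verifies, and an IPv4 header checksum field that is still 0 where 0xc2a1 is expected. Unlike UDP, IPv4 has no "no checksum" value, so a receiver drops such a packet silently, which matches the "they do nothing at all" symptom; fix_ipv4_checksum(FRAME_AFTER) fills the field in.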

Unable to establish LAN session and establish IPMI v1.5 / RMCP session

I have cross-compiled the latest ipmitool 1.8.18 from GitHub and ran the same on the armv5 Linux board.
I am able to run commands like help and show version, but if I try to read any values from the sensor with a command like
ipmitool -H 127.0.0.1 -U admin -P admin fru print
then it gives the below error:
Error: Unable to establish LAN session
Error: Unable to establish IPMI v1.5 / RMCP session
However, I am able to run ipmitool 1.8.11 version command successfully.
Successful 1.8.11 command output:
/var/tmp # ./ipmitool_1.8.11 -H 127.0.0.1 -U admin -vvv chassis power status
Password:
ipmi_lan_send_cmd:opened=[0], open=[371780]
opened=[1], open=[371780]
IPMI Request Session Header (level 0)
Authtype : NONE
Sequence : 0x00000000
Session ID : 0xbabb631a
IPMI Request Message Header
Rs Addr : 20
NetFn : 00
Rs LUN : 0
Rq Addr : 81
Rq Seq : 01
Rq Lun : 0
Command : 01
send_packet (53 bytes)
1a 63 bb ba 04 35 00 00 01 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 24 1e 00 00
24 1e 00 00 00
recv_packet (4 bytes)
41 01 40 00
Chassis Power is on
/var/tmp #
Failed ipmitool 1.8.18 command output with verbose, tried with -I lanplus as well:
/var/tmp # ipmitool -H 127.0.0.1 -U admin -vvv chassis power status
Password:
Sending IPMI/RMCP presence ping packet
send_packet (12 bytes)
06 00 ff 06 00 00 11 be 80 00 00 00
ipmi_lan_send_cmd:opened=[1], open=[453156]
IPMI Request Session Header (level 0)
Authtype : NONE
Sequence : 0x00000000
Session ID : 0x00000000
IPMI Request Message Header
Rs Addr : 20
NetFn : 06
Rs LUN : 0
Rq Addr : 81
Rq Seq : 01
Rq Lun : 0
Command : 38
send_packet (23 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 09 20 18
c8 81 04 38 0e 04 31
IPMI Request Session Header (level 0)
Authtype : NONE
Sequence : 0x00000000
Session ID : 0x00000000
IPMI Request Message Header
Rs Addr : 20
NetFn : 06
Rs LUN : 0
Rq Addr : 81
Rq Seq : 01
Rq Lun : 0
Command : 38
send_packet (23 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 09 20 18
c8 81 04 38 0e 04 31
No response from remote controller
Get Auth Capabilities command failed
ipmi_lan_send_cmd:opened=[1], open=[453156]
IPMI Request Session Header (level 0)
Authtype : NONE
Sequence : 0x00000000
Session ID : 0x00000000
IPMI Request Message Header
Rs Addr : 20
NetFn : 06
Rs LUN : 0
Rq Addr : 81
Rq Seq : 02
Rq Lun : 0
Command : 38
send_packet (23 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 09 20 18
c8 81 08 38 0e 04 2d
IPMI Request Session Header (level 0)
Authtype : NONE
Sequence : 0x00000000
Session ID : 0x00000000
IPMI Request Message Header
Rs Addr : 20
NetFn : 06
Rs LUN : 0
Rq Addr : 81
Rq Seq : 02
Rq Lun : 0
Command : 38
send_packet (23 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 09 20 18
c8 81 08 38 0e 04 2d
No response from remote controller
Get Auth Capabilities command failed
Error: Unable to establish LAN session
Error: Unable to establish IPMI v1.5 / RMCP session
/var/tmp #
Could someone please help with this?
Thanks
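As an added example (not code from the question, and not ipmitool's own source): an encoder and decoder for the RMCP presence ping and the IPMI v1.5 Get Channel Authentication Capabilities packets in the verbose output above, with both IPMI checksums computed and verified. The constants follow the IPMI specification and the packet bytes are copied from the log; the function names are this example's own. It does not explain why the BMC at 127.0.0.1 stays silent, only lets you confirm that what the new build puts on the wire is well-formed before looking elsewhere.

```python
# Added example (not code from the question): encode and verify the RMCP/IPMI v1.5
# LAN packets that ipmitool 1.8.18 logged above, so the bytes on the wire can be
# checked independently of the tool. Layout follows the IPMI spec: RMCP header,
# IPMI session header, IPMI message with two 2's-complement checksums; the
# captured bytes are copied from the question.
import struct

RMCP_CLASS_ASF, RMCP_CLASS_IPMI = 0x06, 0x07
ASF_IANA_ENTERPRISE = 0x000011BE            # 4542, as in the logged ping
ASF_PRESENCE_PING = 0x80
NETFN_APP, CMD_GET_CHANNEL_AUTH_CAPS = 0x06, 0x38
BMC_SLAVE_ADDR, REMOTE_CONSOLE_SWID = 0x20, 0x81

def ipmi_checksum(data):
    """IPMI 2's-complement checksum: the byte that makes the modulo-256 sum zero."""
    return (-sum(data)) & 0xFF

def rmcp_header(msg_class):
    """RMCP version 6, reserved, sequence 0xff (no RMCP ACK requested), message class."""
    return bytes([0x06, 0x00, 0xFF, msg_class])

def build_presence_ping(tag=0):
    """RMCP/ASF Presence Ping: IANA enterprise number, type 0x80, tag, reserved, data length 0."""
    return rmcp_header(RMCP_CLASS_ASF) + struct.pack("!IBBBB", ASF_IANA_ENTERPRISE,
                                                     ASF_PRESENCE_PING, tag, 0, 0)

def build_ipmi_message(netfn, cmd, rq_seq, data, rs_addr=BMC_SLAVE_ADDR, rq_addr=REMOTE_CONSOLE_SWID):
    """IPMI message with LUN 0 on both sides. checksum1 covers rsAddr and netFn/LUN;
    checksum2 covers rqAddr, rqSeq/LUN, cmd and the data bytes."""
    head = bytes([rs_addr, netfn << 2])
    body = bytes([rq_addr, rq_seq << 2, cmd]) + data
    return head + bytes([ipmi_checksum(head)]) + body + bytes([ipmi_checksum(body)])

def build_lan_packet(msg, auth_type=0, session_seq=0, session_id=0):
    """IPMI v1.5 session header for AuthType NONE (no 16-byte AuthCode field);
    the multi-byte session fields are little-endian on the wire."""
    session = struct.pack("<BIIB", auth_type, session_seq, session_id, len(msg))
    return rmcp_header(RMCP_CLASS_IPMI) + session + msg

def build_get_auth_caps(rq_seq, channel=0x0E, privilege=0x04):
    """Get Channel Authentication Capabilities for 'this channel' (0x0e) at Administrator
    (0x04): the first request ipmitool sends when opening a lan session."""
    msg = build_ipmi_message(NETFN_APP, CMD_GET_CHANNEL_AUTH_CAPS, rq_seq, bytes([channel, privilege]))
    return build_lan_packet(msg)

def parse_lan_packet(pkt):
    """Decode an AuthType NONE IPMI v1.5 LAN packet and verify both message checksums."""
    if pkt[:4] != rmcp_header(RMCP_CLASS_IPMI):
        raise ValueError("not an RMCP/IPMI packet")
    auth_type, session_seq, session_id, length = struct.unpack("<BIIB", pkt[4:14])
    if auth_type != 0:
        raise ValueError("AuthType %d carries an AuthCode field; not handled here" % auth_type)
    msg = pkt[14:]
    if len(msg) != length:
        raise ValueError("session length byte %d does not match %d payload bytes" % (length, len(msg)))
    return {
        "session_seq": session_seq, "session_id": session_id,
        "rs_addr": msg[0], "netfn": msg[1] >> 2, "rs_lun": msg[1] & 3,
        "rq_addr": msg[3], "rq_seq": msg[4] >> 2, "cmd": msg[5], "data": msg[6:-1],
        "checksums_ok": ipmi_checksum(msg[:2]) == msg[2] and ipmi_checksum(msg[3:-1]) == msg[-1],
    }
```

build_presence_ping() and build_get_auth_caps(1) / build_get_auth_caps(2) reproduce the 12-byte and 23-byte packets from the log byte for byte, so the request side of the failing session is well-formed; parse_lan_packet() is what you would run over a capture of the BMC's side, and it refuses packets whose session length byte or checksums do not add up rather than guessing at them.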

Zigbee Cluster Library Commands to a SmartThings Hub

I am trying to create a zigbee HA device. So far I have used https://nzfalco.jimdofree.com/electronic-projects/xbee-to-smartthings/ as well as the zigbee ZCL spec to get me to the point where I am sending commands on the HA Basic cluster. I am using the Digi XBee3 along with their xbee-java-library-1.3.0 library.
After sending the response to the SimpleDescriptor, my SmartThings hub sends me what I think is an HA Read request for the version:
[Thread-2] DEBUG com.digi.xbee.api.DataReader - [COM6 - 9600/8/N/1/N] Packet received:
Packet: 7E001791286D97000206071B0000010800000104110017000100E1
Start delimiter: 7E
Length: 00 17 (23)
Frame type: 91 (Explicit RX Indicator)
64-bit source address: 28 6D 97 00 02 06 07 1B
16-bit source address: 00 00
Source endpoint: 01
Dest. endpoint: 08
Cluster ID: 00 00
Profile ID: 01 04
Receive options: 11
RF data: 00 17 00 01 00
Checksum: E1
I interpret this to be:
Profile 260 (HA), Cluster 0, frameControl=0, seq=97, command=0, attributes={1}
I am responding with version 0x20:
[Thread-0] DEBUG com.digi.xbee.api.ZigBeeDevice - [COM6 - 9600/8/N/1/N] 0013A20041B76396 (Fred) - Sending XBee packet:
Packet: 7E001C1110286D97000206071B000001088000010400000017010100002020A1
Start delimiter: 7E
Length: 00 1C (28)
Frame type: 11 (Explicit Addressing Command Frame)
Frame ID: 10 (16)
64-bit dest. address: 28 6D 97 00 02 06 07 1B
16-bit dest. address: 00 00
Source endpoint: 01
Dest. endpoint: 08
Cluster ID: 80 00
Profile ID: 01 04
Broadcast radius: 00 (0)
Transmit options: 00
RF data: 00 17 01 01 00 00 20 20
Checksum: A1
The spec is a bit confusing at this point. What should be in the ZCL Payload to respond with? The hub just ignores my response and tries the read again.
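As an added example, not code from the question or from the Digi library: a small encoder and decoder for the ZCL general frames in this exchange. The hub's RF data 00 17 00 01 00 decodes as a client-to-server Read Attributes command (0x00, sequence 0x17) for attribute 0x0001, ApplicationVersion in the Basic cluster. Per the ZCL specification, the Read Attributes Response (command 0x01) carries, per attribute, the identifier, a status and, on success, the data type and value, which is the layout of the payload in the post; the response is sent on the same cluster as the request (0x0000 here; the request | 0x8000 response-cluster convention belongs to ZDP, not ZCL) with the direction bit of the frame control set, since it flows from the cluster server to the client. The attribute values served and the function names are this example's own.

```python
# Added example (not code from the question): encode and decode the ZCL general
# frames of a Read Attributes exchange on the Basic cluster (0x0000), with the RF
# data the hub sent above as the captured input. Frame layout per the ZCL spec:
# frame control, optional manufacturer code, transaction sequence number,
# command id, payload; multi-byte fields are little-endian. The attribute values
# served below are made up for the example.
import struct

# ZCL frame control bits and the general commands, statuses and types used here.
FC_MANUFACTURER_SPECIFIC = 0x04
FC_DIRECTION_SERVER_TO_CLIENT = 0x08
FC_DISABLE_DEFAULT_RESPONSE = 0x10
CMD_READ_ATTRIBUTES, CMD_READ_ATTRIBUTES_RESPONSE = 0x00, 0x01
STATUS_SUCCESS, STATUS_UNSUPPORTED_ATTRIBUTE = 0x00, 0x86
TYPE_UINT8, TYPE_ENUM8, TYPE_CHAR_STRING = 0x20, 0x30, 0x42

HUB_REQUEST = bytes.fromhex("0017000100")   # RF data of the Explicit RX Indicator above

# Basic cluster attributes this device answers for (example values).
BASIC_ATTRIBUTES = {
    0x0000: (TYPE_UINT8, 0x02),          # ZCLVersion
    0x0001: (TYPE_UINT8, 0x20),          # ApplicationVersion, the value used in the post
    0x0004: (TYPE_CHAR_STRING, "Fred"),  # ManufacturerName
    0x0007: (TYPE_ENUM8, 0x03),          # PowerSource: battery
}

def parse_zcl(frame):
    """Split a ZCL frame into its header fields and payload."""
    fc, off, manufacturer = frame[0], 1, None
    if fc & FC_MANUFACTURER_SPECIFIC:
        manufacturer, off = struct.unpack_from("<H", frame, 1)[0], 3
    return {"frame_control": fc, "manufacturer": manufacturer, "seq": frame[off],
            "cmd": frame[off + 1], "server_to_client": bool(fc & FC_DIRECTION_SERVER_TO_CLIENT),
            "payload": frame[off + 2:]}

def parse_read_attributes(payload):
    """Read Attributes payload: a list of 16-bit attribute identifiers."""
    return list(struct.unpack("<%dH" % (len(payload) // 2), payload))

def encode_value(data_type, value):
    if data_type in (TYPE_UINT8, TYPE_ENUM8):
        return bytes([value])
    if data_type == TYPE_CHAR_STRING:               # length-prefixed octet string
        return bytes([len(value)]) + value.encode("ascii")
    raise ValueError("data type 0x%02x not handled in this example" % data_type)

def build_read_attributes_response(seq, records):
    """records: (attr_id, status, data_type, value); type and value only on success.
    The response goes server -> client, so the direction bit is set; the
    disable-default-response bit keeps the hub from answering with a Default Response."""
    fc = FC_DIRECTION_SERVER_TO_CLIENT | FC_DISABLE_DEFAULT_RESPONSE   # frame type: global
    out = bytes([fc, seq, CMD_READ_ATTRIBUTES_RESPONSE])
    for attr_id, status, data_type, value in records:
        out += struct.pack("<HB", attr_id, status)
        if status == STATUS_SUCCESS:
            out += bytes([data_type]) + encode_value(data_type, value)
    return out

def answer_read_request(request_frame, attributes=BASIC_ATTRIBUTES):
    """Build the Read Attributes Response for a request frame; it goes back on the
    same cluster (0x0000) carrying the request's transaction sequence number."""
    req = parse_zcl(request_frame)
    if req["cmd"] != CMD_READ_ATTRIBUTES or req["server_to_client"]:
        raise ValueError("not a client -> server Read Attributes command")
    records = []
    for attr_id in parse_read_attributes(req["payload"]):
        if attr_id in attributes:
            records.append((attr_id, STATUS_SUCCESS) + attributes[attr_id])
        else:
            records.append((attr_id, STATUS_UNSUPPORTED_ATTRIBUTE, None, None))
    return build_read_attributes_response(req["seq"], records)
```

answer_read_request(HUB_REQUEST) yields 18 17 01 01 00 00 20 20: identical to the payload in the post except for the frame control byte, where the direction and disable-default-response bits are set. A request for an attribute the device does not have gets a record with status 0x86 and no type or value, so the hub can tell "unsupported" apart from "no answer".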

Pymssql won't connect to Azure SQL Server on Amazon Linux 2

I know this has been asked before, but I've tried every suggestion I could find online, and I'm still stumped.
I have a python (3.7) script which uses pymssql (2.1.4) to talk to an Azure SQL Server. This works fine on my local macOS machine. The trouble comes when I try to deploy it to an EC2 machine running Amazon Linux 2. When I try to connect I get:
self.conn = pymssql.connect(server=DBHelper.server, user=DBHelper.user, password=DBHelper.password, database=DBHelper.db)
File "src/pymssql.pyx", line 642, in pymssql.connect
pymssql.OperationalError: (20002, b'DB-Lib error message 20002, severity 9:\nAdaptive Server connection failed (myservername.database.windows.net:1433)\n')
Here is what the FreeTDS log says:
net.c:226:Connecting to 40.121.158.30 port 1433 (TDS version 7.1)
net.c:252:tds_open_socket: connect(2) returned "Operation now in progress"
net.c:372:tds_open_socket() succeeded
packet.c:742:Sending packet
0000 12 01 00 34 00 00 00 00-00 00 15 00 06 01 00 1b |...4.... ........|
0010 00 01 02 00 1c 00 0c 03-00 28 00 04 ff 08 00 01 |........ .(......|
0020 55 00 00 02 4d 53 53 51-4c 53 65 72 76 65 72 00 |U...MSSQ LServer.|
0030 a8 19 00 00 - |....|
packet.c:640:Received packet
0000 04 01 00 25 00 00 01 00-00 00 15 00 06 01 00 1b |...%.... ........|
0010 00 01 02 00 1c 00 01 03-00 1d 00 00 ff 0c 00 07 |........ ........|
0020 6c 00 00 03 00 - |l....|
login.c:1216:detected flag 3
login.c:534:login packet rejected
query.c:3797:tds_disconnect()
The thing is, I can log in and run queries using the command line tool tsql just fine. It's just from python that it won't connect. I'm using the same credentials.
Any suggestions would be much appreciated.
I gave up and switched to pyodbc, and that seems to be working. Apparently, pymssql is no longer supported, so it's better to use pyodbc anyway.

DNS Query Structure

When I am sending a DNS query to the DNS server it returns the header with the format bit set, indicating there is a problem with the format, but I am failing to see what it is. It's possible I have misinterpreted the RFC or misread it, but right now I can't seem to work it out.
The DNS structure I am sending looks like this in hex.
Header
00 01 - ID = 1
01 00 - RD = 1
00 01 - QD = 1
00 00 - AN
00 00 - NS
00 00 - NR
Question for www.google.com
03 77 - 3 w
77 77 - w w
06 67 - 6 g
6f 6f - o o
67 6c - g l
65 03 - e 3
63 6f - c o
6d 00 - m 0
00 01 - QTYPE
00 01 - QCLASS
I then flip the bytes for any field that is two bytes, to convert to big endian for the network format. So each row of the header, and then QTYPE and QCLASS ...
Here's what a byte-by-byte hexdump of that query packet should look like (tested and working!):
00000000 00 01 01 00 00 01 00 00 00 00 00 00 03 77 77 77 |.............www|
00000010 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 00 01 00 01 |.google.com.....|
I think your problem is that the third and fourth bytes of the packet (flags and rcode) are two single-byte fields, not one 2-byte field - it looks like you might be treating it as a 16 bit integer and swapping the bytes?
To get these you can use netcat and dig.
# nc -ulp 53 > dnsreqdump
# dig www.example.com @localhost
# nc -u 8.8.8.8 53 <dnsreqdump >dnsrespdump
Now you can inspect them in hexedit or your favorite hex editor.
I tend to think that your problem depends on how you are actually "flipping the bits to convert to network format".
Typical C library implementations provide the htonl() function family to do the conversion from host into network order and vice versa.
Of course, without seeing the code, I cannot be sure that this is the problem.
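As an added example, not code from the question or the answers: the query built with every 16-bit field written from a host integer in network order (what htons() does in C), beside a routine that reproduces the swap the answers suspect, and a header parser showing what a server would see in each case. The expected bytes are the hexdump in the answer above; the function names are this example's own.

```python
# Added example (not code from the question or the answers): the query from the
# post built in network byte order, beside a reproduction of the byte-swap the
# answers suspect, and a header parser to show what the server sees in each case.
import struct

def encode_name(name):
    """Dotted name -> length-prefixed labels ending in a zero byte (RFC 1035 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, qname, qtype=1, qclass=1, rd=True):
    """struct's '!' writes each field big-endian from a host integer, so no manual
    swapping is needed; this is exactly what htons() does for you in C."""
    flags = 0x0100 if rd else 0x0000           # QR=0, OPCODE=0, RD is bit 8 of the 16-bit field
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def swap_wire_fields(query):
    """The suspected mistake: take bytes that are already in network order (the
    byte-by-byte layout in the post) and swap each 2-byte header field and
    QTYPE/QCLASS anyway, as if they were little-endian host integers."""
    swapped = b"".join(query[i + 1:i + 2] + query[i:i + 1] for i in range(0, 12, 2))
    tail = query[-4:]
    return swapped + query[12:-4] + tail[1:2] + tail[0:1] + tail[3:4] + tail[2:3]

def parse_header(msg):
    """Read the 12-byte header the way a server does."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rd": (flags >> 8) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
```

parse_header(build_query(1, "www.google.com")) reports id 1, RD set, QDCOUNT 1, and the bytes match the working hexdump above. The swapped copy reports id 256, RD clear, RCODE 1 and QDCOUNT 256; a server that is told to expect 256 questions and finds one will reject the message as malformed (FORMERR), which is the "format" bit in the question. The two-single-byte-fields view of bytes 3 and 4 in the other answer and the one-16-bit-field view here are the same thing as long as the bytes are emitted in network order.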
